chore(workflows): rename RELEASE_APP_* secrets to ROSEMARY_RELEASER_APP_*#34
Merged
Merged
Conversation
…PP_* The release-bot GitHub App is registered as "Rosemary Releaser". Renaming the secret inputs across release-please.yml, both example callers, and the README to match the Pepper PR Review pattern (PEPPER_PR_REVIEW_*) so the bot family naming stays consistent. No behavior change — pure rename. The reusable workflow's secret-input names, the env var names, the actions/create-github-app-token wiring, the caller examples, and the README docs all flip to the new names. Refs: DEV-225
There was a problem hiding this comment.
Verified against DEV-225 — aligned. The issue documents the Rosemary Releaser GitHub App naming convention, and this PR renames the workflow secret inputs to match (RELEASE_APP_* → ROSEMARY_RELEASER_APP_*). All 18 occurrences updated consistently across the reusable workflow, caller examples, and README. Grep confirms no old names remain.
Tests: N/A (workflow configuration and documentation only).
When you're ready to merge or have questions, just drop @pepper review in a comment and I'll take another look! 🌿
— Pepper
6 tasks
brodkin
added a commit
that referenced
this pull request
May 9, 2026
…lts repo (#35) Adds release-please self-management to SpiceLabsHQ/.github so this repo gets versioned point releases (v0.1.0, v0.1.1, etc.) instead of the current rolling-v1-tag manual moves. What this adds -------------- - .github/workflows/release-please-self.yml — caller workflow on push:main invoking SpiceLabsHQ/.github/.github/workflows/release-please.yml@v1 with the Rosemary Releaser App secrets. The App identity ensures the release PR is authored by rosemary-releaser[bot] AND that tag pushes from the release PR merge can fire downstream workflows. - .github/workflows/release-cascade-check.yml — no-op smoke test that fires on tag push and emits a notice with the actor identity. Lets us confirm end-to-end that tag-cascade auth chain is healthy. - release-please-config.json — release-type: simple, single package at repo root, bootstrap-sha pinned to bce3abd so the first release window starts after PR #34 (the secret-rename) instead of scanning all history. - .release-please-manifest.json — initial state {".": "0.0.0"}. - version.txt — initial 0.0.0 placeholder that release-please will bump on each release (release-type: simple convention). Smoke-test sequence after merge ------------------------------- 1. push:main fires release-please-self.yml 2. release-please scans commits since bootstrap-sha → finds this feat: commit → proposes a release PR for v0.1.0 3. The release PR is authored by rosemary-releaser[bot] (proof point #1) 4. Merging the release PR creates tag v0.1.0 5. The tag push fires release-cascade-check.yml (proof point #2) 6. Cascade check's notice should show actor=rosemary-releaser[bot] Refs: DEV-225
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The release-bot GitHub App is registered as Rosemary Releaser. Renaming the secret inputs across
release-please.yml, both caller examples, and the README to match the Pepper PR Review pattern (PEPPER_PR_REVIEW_*) so the bot family naming stays consistent.Rename map
RELEASE_APP_IDROSEMARY_RELEASER_APP_IDRELEASE_APP_PRIVATE_KEYROSEMARY_RELEASER_APP_PRIVATE_KEYFiles touched
.github/workflows/release-please.yml—secrets:declarations, env wiring,actions/create-github-app-tokeninputs, and inline doc comments (12 spots)examples/caller-release-please.yml— commented-out App-token caller example (2 spots)examples/caller-release-artifacts.yml— header comment cross-referencing the App-token path (1 spot)README.md— Token-strategy table and the Release Artifacts trigger note (2 spots)Pure rename — no behavior change. 18 insertions, 18 deletions.
Why now
DEV-225 setup: the Rosemary Releaser App is being created at the SpiceLabsHQ org with private key + org secrets named
ROSEMARY_RELEASER_APP_ID/ROSEMARY_RELEASER_APP_PRIVATE_KEY. Workflow + docs need to reference those names so callers cansecrets: { ROSEMARY_RELEASER_APP_ID: \${{ secrets.ROSEMARY_RELEASER_APP_ID }}, ... }and have it just work.Test plan